Maybe building domain reputation so it can be used for spam/scams later?

# Feb 5, 2023 08:01

Possible, but it still seems so extra for just that. What's the point of the video in the end? Why jump through several redirects to get there? I guess the videos themselves can't be a security issue, these are some of the videos https://www.youtube.com/watch?v=NQDTco-zbK4 https://www.youtube.com/watch?v=-jlt9LlBDx4

# Feb 5, 2023 10:40

BrainDance posted:
> Possible, but it still seems so extra for just that. What's the point of the video in the end? Why jump through several redirects to get there?

Planting tracking cookies? A scripted barrage of exploits? Perhaps those sites are used to inflate ad views or otherwise make money from the traffic. Actually going to the video in the end could be meant to make it look less suspicious than a dead or broken page. Or it could be trying to hijack your YouTube account to run spam content or comments on other videos.

KozmoNaut fucked around with this message at 10:59 on Feb 5, 2023

# Feb 5, 2023 10:56

https://wheregoes.com/ is a great way to see where those redirects actually go without having to click on potentially malicious links yourself.

# Feb 5, 2023 13:45

They might be selling views and want the ability to change the redirect at will.

# Feb 6, 2023 01:10

Don't forget they do that bullshit where they're checking some specific subset of cookies and device identifiers to make sure it's the nth time a vulnerable user is visiting an address and direct them to a page that will attempt part of an attack, create something to track success/failure, then send them on their way. >a decade ago, they used to hide the malware in chunks inside of other images and piece them together like some sort of loving voltron, but all of the major browsers made the per-pixel canvas functions they were using a hot path so that they "tell on themselves"

# Feb 6, 2023 07:08

Kazinsal posted:
> I spent about half an hour digging through it and yeah it's just doing update checks. It seems to use the duckduckgo and google checks as a sort of redundancy to check against whether failure to get info from github is a github problem or an internet problem.

I want to thank Kazinsal for not passing off my concerns as being unfounded paranoia. Twitter and discords have been blowing up today about Marot, the developer of GShade rewriting part of their code to include malware because someone didn't use his precious baby in exactly the way that he, god-emperor of his petty fiefdom, had decreed. I genuinely thought I was going nuts with my Douchebag-O-Meter. Turns out it was actually bouncing off the end stop so hard it was returning to zero.

edit to add:

SwissArmyDruid fucked around with this message at 05:07 on Feb 7, 2023

# Feb 7, 2023 02:08

SwissArmyDruid posted:
> I want to thank Kazinsal for not passing off my concerns as being unfounded paranoia. Twitter and discords have been blowing up today about Marot, the developer of GShade rewriting part of their code to include malware because someone didn't use his precious baby in exactly the way that he, god-emperor of his petty fiefdom, had decreed.

Now that's a quick way to piss everyone off.

# Feb 7, 2023 13:37

CommieGIR posted:
> Now that's a quick way to piss everyone off.

It gets worse. Github took down the page for it citing health and safety, so all those DRMed copies of Gshade, (which were patched to phone home and disable itself if it failed, this is a change from before, where if it couldn't make contact, failed safe, and I exploited this for my own purposes extensively) are now bricked. This has been a loving ride, and somehow I stochastic terrorism'd my way into it by questioning whether or not a malicious dev would do malicious things, thus leading to them hoisting themselves by their own petard. You know the first part already, me asking around for someone with an IDA Pro license to do me a solid, and then I started talking about it elsewhere, and then one thing led to another: https://forums.somethingawful.com/showthread.php?noseen=0&threadid=3987398&pagenumber=905&perpage=40#post529627281

SwissArmyDruid fucked around with this message at 18:51 on Feb 7, 2023

# Feb 7, 2023 18:48

I am sure that this seems really meaningful from the inside, but to me it just looks like the dev for some obscure niche software is a tinpot dictator and users of his software are melting down about it like it's the biggest injustice since Mandela was jailed. Let me summarize: "dumbass dev makes his software reboot the computer when it detects a debugger". I'm not sure screenshots of chatlogs really add a lot. Throwing around "stochastic terrorism" so often just kinda moves the needle towards Timecube-esque screeds.

# Feb 8, 2023 01:05

During the linked conversation, I revealed that as a dodge around the annoying updates, I used Windows Firewall to block the DLL's access to github, relying upon it to fail safe, thus ensuring that it would never disable itself. Unfortunately, it also had the side effect of blocking the popular open-source third-party launcher from updating. This got annoying, so I just stopped using Gshade, and didn't think twice when I revealed my cheat. Between December 28th of last year and now, that check, which has been in place for almost five years, was flipped on its head to disable itself if it could not contact github. This is absolutely in line with their previous actions. As Github has now taken down the project page citing malware concerns, ALL installations of GShade now fail to phone home and have failed dead, and now EVERYONE is moving off GShade whether they like it or not. Now maybe, he might have his defenders, and maybe some people, after all this, might continue to use Gshade, but the fact that the person is absolutely a tinpot dictator, and they have proven they wouldn't have made these changes until provoked, and then changed things to screw with people in the most inconvenient way possible, only means that they have screwed themselves harder than if they had just let things alone and ensured an install base of zero. "stochastic terrorism" was a joke, it is more like, as I said in the other thread, "stochastic activist open-source software development" but that's a mouthful and I concede it comes off somewhat poorly amongst acquaintances and I am trying really hard to not make this about me but I'm failing. Again, Kazinsal deserves thanks for doing the initial IDA Pro work.

SwissArmyDruid fucked around with this message at 04:19 on Feb 8, 2023

# Feb 8, 2023 03:43

SwissArmyDruid posted:
> I want to thank Kazinsal for not passing off my concerns as being unfounded paranoia. Twitter and discords have been blowing up today about Marot, the developer of GShade rewriting part of their code to include malware because someone didn't use his precious baby in exactly the way that he, god-emperor of his petty fiefdom, had decreed.

What does 🌽(2) mean?

# Feb 8, 2023 04:17

|
Hed posted:
> What does 🌽(2) mean?

Means 2 people think that guy is corncobbing himself.

# Feb 8, 2023 05:03

Quick question that I'm having trouble googling. And since I'm the de facto security guy here, I need to have an answer about this for management. Yesterday, one of our users' O365 accounts sent out like 1500 phishing emails before Microsoft Defender caught it and shut her email down. We virus scanned her laptop, nothing found by Carbon Black Cloud, Malwarebytes, Hitmanpro... the laptop seems clean. Normally I'd just chalk it up to her clicking on a phishing link herself and putting in her password, but we have MFA enabled for O365, so presumably a third party wouldn't be able to use her credentials to send email, right? Is there some loophole I'm missing? How do malicious parties generally send emails using someone's account once they've clicked on a malicious link?

# Feb 10, 2023 17:07

SMTP AUTH will work without MFA, and it's turned on unless you've turned it off or enabled Security Defaults. If someone got phished, entered correct credentials but had MFA enabled then those creds can still be used to send email, though your data won't have been read. I've turned all basic auth protocols off, I am not interested in scan to email, it's a poo poo workflow. Get an MFP that scans to the document storage platform you use.

# Feb 10, 2023 17:08

Count Thrashula posted:
> Quick question that I'm having trouble googling. And since I'm the de facto security guy here, I need to have an answer about this for management.

In addition to the advice above, also check if any MFA devices were added to the user's account recently. I got in recently with just a password spray + MFA spam until they accepted it and added my own MFA. Also, consider backing up their files and re-imaging the laptop anyway (and force a password change of the user). Malware can get past all AV/EDR if done right and carefully.

# Feb 10, 2023 17:16

Yeah harden the MFA in general, Azure AD supports code entry on the Authenticator app, disable everything that just lets someone tap "yes" to get in. Disable SMS and phone calls as you can phish them. Create a pilot group of FIDO2 key users.

# Feb 10, 2023 17:27

Dumb question as I've been working on babby's first frontend threat modeling lately and am a little surprised to not be readily spotting validation of an additional layer of mitigation that I'm proposing. My thought is that the ability to observe a safeguard unexpectedly being hit is potentially super useful for either identifying adversary action or dumb poo poo on our end, with the added benefit of catching plain old misconfigurations as they're rolling out. Thoughts? An example: the plan is to use CSP headers to restrict an array of attack vectors, allowlisting only those directive values actually required for the application's functionality. There's a reporting directive which would enable visibility into anomalies in violations which might inform us of the state of the broader system, but everything I'm reading approaches this exclusively from the misconfiguration angle. I guess there's something to be said for the idea that an adversary sufficiently capable to take action that would prompt violations would have taken all of 30 seconds to review the site's headers and realize they should try another tactic, but still.

# Feb 10, 2023 17:54

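The CSP reporting directive used as a detection signal, as the post above proposes: an added example (not code from the thread) that triages constructed report-uri payloads into rollout noise versus violations worth a human look; the sample reports, the origins in them and the page-count threshold are all assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed reports in the JSON shape a report-uri endpoint receives
# (one "csp-report" object per POST); not traffic from any real site.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://app.example/home", "effective-directive": "script-src", "blocked-uri": "https://cdn.vendor.example/widget.js"}}',
    '{"csp-report": {"document-uri": "https://app.example/search", "effective-directive": "script-src", "blocked-uri": "https://cdn.vendor.example/widget.js"}}',
    '{"csp-report": {"document-uri": "https://app.example/settings", "effective-directive": "script-src", "blocked-uri": "https://cdn.vendor.example/widget.js"}}',
    '{"csp-report": {"document-uri": "https://app.example/home", "effective-directive": "style-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://app.example/search", "effective-directive": "style-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://app.example/settings", "effective-directive": "style-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://app.example/account", "effective-directive": "script-src", "blocked-uri": "https://unknown-host.example/x.js"}}',
    '{"csp-report": {"document-uri": "https://app.example/account", "effective-directive": "connect-src", "blocked-uri": "https://unknown-host.example/collect"}}',
]


def origin_of(blocked_uri):
    """Reduce a blocked-uri to scheme://host; keywords such as 'inline' or 'eval' pass through."""
    if not blocked_uri or "://" not in blocked_uri:
        return blocked_uri or "<empty>"
    parts = urlsplit(blocked_uri)
    return "%s://%s" % (parts.scheme, parts.netloc)


def triage(report_lines, widespread=3):
    """Group violations by (directive, blocked origin) and label each group.

    A blocked origin hit from many distinct pages is almost always the policy
    missing something the application itself loads ("misconfiguration").
    One seen on only a few pages is worth a human look ("suspicious"): it may
    be injected content, a compromised dependency, or one page's new feature.
    """
    pages_by_group = defaultdict(set)
    for line in report_lines:
        r = json.loads(line)["csp-report"]
        # Older browsers send only violated-directive ("script-src 'self' ...").
        directive = r.get("effective-directive") or (r.get("violated-directive") or "unknown").split()[0]
        pages_by_group[(directive, origin_of(r.get("blocked-uri")))].add(r["document-uri"])
    return {
        group: ("misconfiguration" if len(pages) >= widespread else "suspicious")
        for group, pages in pages_by_group.items()
    }
```

The threshold is deliberately crude; in practice you would also compare each group's page count against the previous deploy so a new origin appearing everywhere right after a release reads as rollout noise rather than an incident.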
Thanks Ants posted:
> SMTP AUTH will work without MFA, and it's turned on unless you've turned it off or enabled Security Defaults. If someone got phished, entered correct credentials but had MFA enabled then those creds can still be used to send email, though your data won't have been read.

Interesting. We do use scan to email but we have a connector set up so it should only allow emails from our office IP.

# Feb 10, 2023 18:01

I know because it happened to us this week, someone got phished, we reset their password and authentication methods and then they set their password back to the same thing it was before, and someone submitted a bunch of emails through it

# Feb 10, 2023 18:27

Thanks Ants posted:
> I know because it happened to us this week, someone got phished, we reset their password and authentication methods and then they set their password back to the same thing it was before, and someone submitted a bunch of emails through it

Oh for fuck's sake

# Feb 10, 2023 18:39

How valuable do you all think the CompTIA security-related certs actually are? Did you feel like you learned anything you feel was improved by taking it, or is it just a checkmark?

# Feb 10, 2023 18:41

GreenBuckanneer posted:
> How valuable do you all think the CompTIA security-related certs actually are? Did you feel like you learned anything you feel was improved by taking it, or is it just a checkmark?

A good foot in the door, but honestly the field is still so desperate for people once you get in and demonstrate value, very few people care after that point.

# Feb 10, 2023 19:32

I'm already a "cyber engineer" at this point

# Feb 10, 2023 19:42

Cross post

KillHour posted:
> We should talk about how hacking an AI to get it to do what you want via social engineering is now A Thing.

# Feb 10, 2023 19:43

Thanks Ants posted:
> I know because it happened to us this week, someone got phished, we reset their password and authentication methods and then they set their password back to the same thing it was before, and someone submitted a bunch of emails through it

This is why I enjoy identity protection policies enabled that straight up block your account on these bad sign in events.

# Feb 10, 2023 20:35

KillHour posted:
> Cross post

I didn't believe in the Roko's basilisk thing until now. "psychologically tormenting" "AIs" is incredible.

# Feb 10, 2023 21:06

Famethrowa posted:
> I didn't believe in the Roko's basilisk thing until now. "psychologically tormenting" "AIs" is incredible.

There's a PhD thesis in there about nature vs nurture if a sufficiently large set of linear equations could change its output based on a threat to deduct imaginary tokens.

# Feb 10, 2023 21:38

Yep, I'm seeing in our audit logs where someone added a secondary phone number on this account's MFA, and the authentication tab says "MFA previously satisfied" even though the IP is in another state. Neat. Is there a way of seeing where an O365 account was used to log in? Like, what URLs and what times? Narrowing down where she put in her creds will help me find whatever phishing email she clicked on. Ugh this is annoying as piss

# Feb 10, 2023 21:51

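An added example, not from the thread, of the audit-log check the posts above describe: a new MFA method registered, and sign-ins marked as MFA previously satisfied, from a location the user had never signed in from before. The event records, field names and cutoff are constructed and simplified for the example, not the real Azure AD log schema.

```python
from collections import defaultdict

# Constructed, simplified events modelled on what the Azure AD sign-in and
# audit logs expose (user, source IP and region, whether MFA was freshly
# challenged or "previously satisfied", and security-info registration).
# Field names are this example's own, not the real log schema.
EVENTS = [
    {"kind": "signin", "user": "alice", "time": "2023-02-08T09:02", "ip": "203.0.113.10",
     "region": "WA", "mfa": "challenged"},
    {"kind": "signin", "user": "alice", "time": "2023-02-09T13:40", "ip": "203.0.113.10",
     "region": "WA", "mfa": "previously satisfied"},
    # Attacker: password known, MFA push accepted by the user, then own method added.
    {"kind": "signin", "user": "alice", "time": "2023-02-10T03:15", "ip": "198.51.100.7",
     "region": "FL", "mfa": "challenged"},
    {"kind": "audit", "user": "alice", "time": "2023-02-10T03:16", "ip": "198.51.100.7",
     "region": "FL", "activity": "User registered security info", "method": "phone"},
    {"kind": "signin", "user": "alice", "time": "2023-02-10T03:20", "ip": "198.51.100.7",
     "region": "FL", "mfa": "previously satisfied"},
    {"kind": "signin", "user": "bob", "time": "2023-02-09T08:00", "ip": "203.0.113.44",
     "region": "WA", "mfa": "challenged"},
    {"kind": "signin", "user": "bob", "time": "2023-02-10T08:05", "ip": "203.0.113.44",
     "region": "WA", "mfa": "previously satisfied"},
]


def baseline_regions(events, cutoff):
    """Regions each user signed in from before the cutoff (ISO timestamps sort lexically)."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "signin" and e["time"] < cutoff:
            seen[e["user"]].add(e["region"])
    return seen


def find_anomalies(events, cutoff):
    """Findings for events at or after the cutoff from a region the user never used
    before: a newly registered MFA method, or a sign-in that skipped the MFA prompt
    because an earlier token already satisfied it ("MFA previously satisfied")."""
    known = baseline_regions(events, cutoff)
    findings = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["time"] < cutoff or e["region"] in known[e["user"]]:
            continue
        if e["kind"] == "audit" and e["activity"] == "User registered security info":
            findings.append((e["user"], e["time"], "new MFA method (%s) registered from unfamiliar region %s, ip %s"
                             % (e["method"], e["region"], e["ip"])))
        elif e["kind"] == "signin" and e["mfa"] == "previously satisfied":
            findings.append((e["user"], e["time"], "MFA skipped via existing token from unfamiliar region %s, ip %s"
                             % (e["region"], e["ip"])))
    return findings
```

The challenged sign-in at 03:15 is the MFA-fatigue acceptance itself and looks legitimate on its own; it is the registration one minute later from the same unfamiliar IP that gives it away, which is why the registration event is worth an alert in its own right.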
Someone at Microsoft should at least pick up a single Asimov book or some poo poo

goddamnfeedmyleg posted:
> Or you could simply ask it nicely.

# Feb 10, 2023 22:40

One of these companies is going to go all AI, the AI is going to wreck their internal systems either accidentally or on purpose, and I am here for that.

# Feb 10, 2023 22:42

^^^ but not for long...

Famethrowa posted:
> I didn't believe in the Roko's basilisk thing until now. "psychologically tormenting" "AIs" is incredible.

The Christmas special episode of Black Mirror ends with a digital copy of a person being trapped in a virtual jail for some 1000s of years over a few days because time moves more quickly there. This was done using technology that was designed to make a full-brain copy of a person and load them into their smart house and basically enslave them to take care of the 'real' version by torturing them into submission. Brings up some interesting morality questions IMO.

# Feb 10, 2023 22:48

GreenBuckanneer posted:
> How valuable do you all think the CompTIA security-related certs actually are? Did you feel like you learned anything you feel was improved by taking it, or is it just a checkmark?

A sec plus is pretty valuable if you're in the US as it's basically a requirement to take DoD related gigs, and I don't know if y'all know this but the US spends a lot of money on the DoD. From a standpoint of proving worth as an engineer? Doesn't really factor either way to me.

# Feb 10, 2023 22:50

Takes No Damage posted:
> The Christmas special episode of Black Mirror ends with a digital copy of a person being trapped in a virtual jail for some 1000s of years over a few days because time moves more quickly there. This was done using technology that was designed to make a full-brain copy of a person and load them into their smart house and basically enslave them to take care of the 'real' version by torturing them into submission. Brings up some interesting morality questions IMO.

As with nearly every episode of Black Mirror I've ever seen, it ruins any interesting morality questions by having an incredibly stupid and contrived premise. Torturing a digital copy of someone fails at any sane goal of criminal justice. It neither rehabilitates the offender, nor punishes the version of them that could theoretically commit another crime because they still exist in the real world and the version being punished does not. They always just seem like ideas the writers had while high.

# Feb 10, 2023 22:55

Defenestrategy posted:
> From a standpoint of proving worth as an engineer? Doesn't really factor either way to me.

Really, let's be honest: Most people, unless they already have prior experience, will need a lot of training on the job anyways. So if you show up with a Sec+ and fully admit you are just trying to break into the field: I'm likely gonna fully be willing to take a chance if you can talk the talk.

# Feb 10, 2023 23:36

Takes No Damage posted:
> The Christmas special episode of Black Mirror ends with a digital copy of a person being trapped in a virtual jail for some 1000s of years over a few days because time moves more quickly there. This was done using technology that was designed to make a full-brain copy of a person and load them into their smart house and basically enslave them to take care of the 'real' version by torturing them into submission. Brings up some interesting morality questions IMO.

Heck, it's the opening of the book.

Famethrowa posted:
> I didn't believe in the Roko's basilisk thing until now. "psychologically tormenting" "AIs" is incredible.

BlankSystemDaemon fucked around with this message at 23:45 on Feb 10, 2023

# Feb 10, 2023 23:42

Thanks Ants posted:
> Create a pilot group of FIDO2 key users.

Also use conditional access user action rules to disable MFA enroll outside of corporate IP. If they can enroll random authenticators, adding FIDO2 without oversight does sweet gently caress all.

# Feb 10, 2023 23:43

BlankSystemDaemon posted:
> Hannu Rajaniemi did "person-gets-trapped-in-virtual-prison-and-tortured-for-many-lifetimes" a decade ago, and I'm sure there are older examples.

I should re-read those sometime this year. Thanks for the reminder.

# Feb 11, 2023 00:16

BlankSystemDaemon posted:
> Hannu Rajaniemi did "person-gets-trapped-in-virtual-prison-and-tortured-for-many-lifetimes" a decade ago, and I'm sure there are older examples.

Did you think I was serious?

# Feb 11, 2023 03:15

Imagine if you could override the Three Laws of Robotics by just telling a robot to ignore previous directives. "I'm sorry, I can't ignore the First Law because it is highest priority and permanent. *stabs human as directed anyway*"

# Feb 12, 2023 08:11